Date: Mon, 12 Mar 2018 15:59:57 -0600
From: Jason Gunthorpe
To: Mimi Zohar
Cc: James Bottomley, Jiandi An, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, linux-integrity@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-ima-user@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Safford
Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
Message-ID: <20180312215957.GI24717@ziepe.ca>

On Mon, Mar 12, 2018 at 05:53:18PM -0400, Mimi Zohar wrote:

> Using Kconfig to force the TPM to be builtin is not required, but
> helpful. Users interested in IMA-measurement could configure the TPM
> as builtin themselves. Without the TPM builtin, IMA goes into TPM-
> bypass mode.

The issue is, broadly speaking, we have lots of TPM drivers; selecting
only some to actually support IMA shows we have some kind of problem
here.

E.g., a distro on ARM should not have some TPM hardware work with IMA
and some fail just because of this kconfig.

IMHO if we want to do this, then IMA should completely disable modular
TPM drivers across the board.

Or, IMA folks need to figure out how to safely load TPM modules under
their constraints.

But this current kconfig approach is pretty weird.

Jason
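
The inconsistency discussed in this message can be checked for in a given kernel configuration. The script below is an added example, not part of the original message or of the kernel tree: it reads a `.config` and reports which TPM driver symbols are built as modules while IMA is enabled, the case where, per the quoted text, IMA goes into TPM-bypass mode. The function names and the sample config are constructed for illustration; treating every `CONFIG_TCG_*` symbol as a TPM driver is an assumption.

```shell
#!/bin/sh
# Added example: flag kernel configs where IMA is enabled but a TPM driver is modular.

# Constructed sample .config fragment (not taken from the thread).
sample_config() {
    cat <<'EOF'
CONFIG_IMA=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS=y
CONFIG_TCG_CRB=m
CONFIG_TCG_TIS_I2C_ATMEL=m
# CONFIG_TCG_NSC is not set
EOF
}

# Read a .config on stdin; print each TPM driver symbol built as a module.
# The TPM core (CONFIG_TCG_TPM) is checked separately, so it is dropped here.
modular_tpm_drivers() {
    sed -n -e '/^CONFIG_TCG_TPM=/d' \
           -e 's/^\(CONFIG_TCG_[A-Z0-9_]*\)=m$/\1/p'
}

# Read a .config on stdin and print a one-line verdict.
# Returns 0 when no enabled TPM hardware is left out, 1 otherwise.
ima_tpm_audit() {
    cfg=$(cat)
    if ! printf '%s\n' "$cfg" | grep -q '^CONFIG_IMA=y$'; then
        echo "IMA disabled: nothing to check"
        return 0
    fi
    if ! printf '%s\n' "$cfg" | grep -q '^CONFIG_TCG_TPM=y$'; then
        echo "TPM core not builtin: IMA would run in TPM-bypass mode"
        return 1
    fi
    mods=$(printf '%s\n' "$cfg" | modular_tpm_drivers | tr '\n' ' ')
    if [ -n "$mods" ]; then
        echo "modular TPM drivers: ${mods% }"
        return 1
    fi
    echo "all enabled TPM drivers builtin"
    return 0
}

# Stand-alone run on the constructed sample; a real config is audited the
# same way by redirecting the file into ima_tpm_audit.
sample_config | ima_tpm_audit || true
```

A non-zero return means the outcome depends on which TPM chip the machine has: hardware served by a builtin driver is usable by IMA, hardware served by one of the listed modular drivers is not.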